b"            EVALUATION REPORT\n\n\n\n                      Independent Evaluation of NRC\xe2\x80\x99s\n                        Implementation of the Federal\n                    Information Security Management Act\n                         (FISMA) for Fiscal Year 2005\n\n                     OIG-05-A-21      September 30, 2005\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                         September 30, 2005\n\n\n\n\nMEMORANDUM TO:             Luis A. Reyes\n                           Executive Director for Operations\n\n\n\nFROM:                      Stephen D. Dingbaum/RA/\n                           Assistant Inspector General for Audits\n\n\nSUBJECT:                   INDEPENDENT EVALUATION OF NRC\xe2\x80\x99S\n                           IMPLEMENTATION OF THE FEDERAL\n                           INFORMATION SECURITY MANAGEMENT ACT\n                           (FISMA) FOR FISCAL YEAR 2005 (OIG-05-A-21)\n\nAttached please find the Office of the Inspector General\xe2\x80\x99s report, Independent\nEvaluation of NRC\xe2\x80\x99s Implementation of the Federal Information Security\nManagement Act (FISMA) for Fiscal Year 2005. This report reflects the results of\nthe independent evaluation performed by Richard S. Carson & Associates, Inc.,\non behalf of the NRC Office of the Inspector General.\n\nBasing this review on the Office of Management and Budget\xe2\x80\x99s criteria for FISMA\ncompliance, Richard S. 
Carson & Associates, Inc., determined that the NRC\xe2\x80\x99s\ninformation security program has several weaknesses.\n\nDuring an exit conference on September 22, 2005, NRC officials provided\ncomments concerning the draft audit report and subsequently opted not to submit\nformal written comments to this report.\n\nIf you have any questions or wish to discuss this report, please call me at\n415-5915 or Beth Serepca at 415-5911.\n\nAttachment: As stated\n\x0cDistribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety andT\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nWilliam N. Outlaw, Director of Communications\nWilliam N. Outlaw, Acting Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nMichael R. Johnson, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. 
Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nPaul H. Lohaus, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                           Independent Evaluation of\n                          NRC\xe2\x80\x99s Implementation of the\n                 Federal Information Security Management Act\n                              For Fiscal Year 2005\n\n\n\n\n                            Contract Number: GS-00F-0001N\n                          Delivery Order Number: DR-36-03-346\n\n                                                 September 30, 2005\n\n\n\n\nThe views, opinions, and findings contained in this report are those of the authors and should not be construed as an official Nuclear Regulatory\n                       Commission position, policy, or decision, unless so designated by other official documentation.\n\x0c[Page intentionally left blank]\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\nEXECUTIVE SUMMARY\n\n\nBACKGROUND\n\n           On December 17, 2002, the President signed the E-Government Act of 2002, which\n           included the Federal Information Security Management Act (FISMA) of 2002. FISMA\n           outlines the information security management requirements for agencies, which includes\n           an annual independent evaluation of the agency\xe2\x80\x99s information security program1 and\n           practices to determine their effectiveness. 
This evaluation must include testing of the\n           effectiveness of information security policies, procedures, and practices of a\n           representative subset of the agency\xe2\x80\x99s information systems. FISMA requires the annual\n           evaluation to be performed by the agency\xe2\x80\x99s Inspector General (IG) or by an independent\n           external auditor.\n\n           Office of Management and Budget (OMB) memorandum M-05-15, FY 2005 Reporting\n           Instructions for the Federal Information Security Management Act and Agency Privacy\n           Management, dated June 13, 2005, requires the agency\xe2\x80\x99s IG to complete the Reporting\n           Template for Agency IGs. That template, along with any additional narrative the IG feels\n           provides meaningful insight into the status of the agency\xe2\x80\x99s security or privacy program, is\n           submitted to OMB as part of the agency\xe2\x80\x99s annual FISMA report.\n\n           Richard S. Carson and Associates, Inc., (Carson Associates) performed an independent\n           evaluation of the Nuclear Regulatory Commission\xe2\x80\x99s (NRC) implementation of FISMA\n           for FY 2005. This report presents the results of that independent evaluation. Carson\n           Associates also prepared the Reporting Template for Agency IGs, along with additional\n           narrative, for inclusion in the agency\xe2\x80\x99s annual FISMA report. The Reporting Template\n           for Agency IGs and the additional narrative is included as Appendix C to this report.\n\n           The OIG also asked Carson Associates to evaluate the agency\xe2\x80\x99s compliance with the\n           Privacy Act. 
This request was made prior to OMB\xe2\x80\x99s issuance of the FY 2005 FISMA\n           reporting guidelines, which also include a requirement to report on implementation of the\n           Privacy Act.\n\nPURPOSE\n\n           The objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s\n           implementation of FISMA for FY 2005.\n\n\n\n\n1\n    NRC uses the term information security program to describe its program for ensuring that various types of\n    sensitive information are handled appropriately and are protected from unauthorized disclosure in accordance with\n    pertinent laws, Executive orders, management directives, and applicable directives of other Federal agencies and\n    organizations. For the purposes of FISMA, the agency uses the term automated information security program.\n\n\n                                                           i\n\x0c                                                                             Independent Evaluation of\n                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\nRESULTS IN BRIEF\n\n      While major deficiencies exist, NRC has made improvements to its automated\n      information security program. For example:\n\n         \xe2\x80\xa2   The agency has corrected 66 percent of its program level weaknesses and 7\n             percent of its system level weaknesses reported on its plans of action and\n             milestones (POA&Ms).\n         \xe2\x80\xa2   The agency developed templates for risk assessments, security plans, security test\n             and evaluation plans, security test and evaluation reports, contingency plans, and\n             contingency plan test reports. The templates and instructions for their use are\n             available on the NRC information technology (IT) security Web page. 
The\n             templates were developed to ensure security documentation supporting system\n             certification and accreditation is consistent with guidelines from the National\n             Institute of Standards and Technology (NIST). The templates include a section or\n             sections that specifically identify action items resulting from the certification and\n             accreditation process to ensure corrective actions are tracked.\n         \xe2\x80\xa2   The agency requires that the system certification package contain a spreadsheet of\n             the plan to resolve issues identified during the certification process. This\n             requirement is also presented on the agency\xe2\x80\x99s IT security Web page.\n         \xe2\x80\xa2   The agency modified the security plan template and the NRC version of the self-\n             assessment based on NIST Special Publication (SP) 800-26, Self-Assessment\n             Guide for Information Technology Systems, to ensure security protection\n             requirements (confidentiality, integrity, and availability) are consistently defined.\n\n      However, the independent evaluation identified the following automated information\n      security program weaknesses.\n\n         \xe2\x80\xa2   The majority of NRC systems have not been categorized in accordance with\n             Federal Information Processing Standards (FIPS) Publication 199, Standards for\n             Security Categorization of Federal Information and Information Systems.\n         \xe2\x80\xa2   Agency self-assessments are not timely.\n         \xe2\x80\xa2   Annual contingency plan testing is not being performed.\n         \xe2\x80\xa2   The agency does not maintain documentation that demonstrates systems provided\n             by other Federal agencies meet FISMA requirements.\n         \xe2\x80\xa2   Oversight of other contractor systems is lacking.\n         \xe2\x80\xa2   The agency\xe2\x80\x99s inventory of 
information systems is only 51-70 percent complete\n             because (1) information in the two systems that maintain inventory information is\n             inaccurate and inconsistent and (2) only one system contains information on\n             system interfaces and that information is also inaccurate and inconsistent. In\n             addition, the agency\xe2\x80\x99s inventory is not maintained and updated annually.\n\n\n\n\n                                               ii\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n        \xe2\x80\xa2   E-authentication risk assessments completed in accordance with OMB M-04-04,\n            E-Authentication Guidance for Federal Agencies, are incorrect and inconsistent\n            with the systems\xe2\x80\x99 FIPS 199 security categorizations.\n        \xe2\x80\xa2   The agency is not always following OMB\xe2\x80\x99s POA&M guidance and the metrics\n            submitted to OMB deviate from the actual POA&Ms.\n        \xe2\x80\xa2   The majority of the agency\xe2\x80\x99s operational information systems (19 of 27) are\n            operating under an interim authorization to operate (IATO), and therefore are not\n            considered certified and accredited.\n        \xe2\x80\xa2   The agency lacks procedures for ensuring employees with significant IT security\n            responsibilities receive security training and awareness.\n\nRECOMMENDATIONS\n\n     This report makes recommendations to the Executive Director for Operations to improve\n     NRC\xe2\x80\x99s automated information security program and implementation of FISMA. 
A\n     consolidated list of recommendations appears on page 25 of this report.\n\nAGENCY COMMENTS\n\n     The OIG provided this report in draft to agency officials and discussed its content at an\n     exit conference on September 22, 2005. We modified the report as we determined\n     appropriate in response to our discussion. Agency officials generally agreed with the\n     report\xe2\x80\x99s findings and recommendations and opted not to include formal comments.\n\n\n\n\n                                              iii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              iv\n\x0c                                                                            Independent Evaluation of\n                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\nABBREVIATIONS AND ACRONYMS\n\n\nADAMS               Agencywide Document Access and Management System\nAIS                 Automated Information System\nCarson Associates   Richard S. 
Carson and Associates, Inc.\nCFR                 Code of Federal Regulations\nCIO                 Chief Information Officer\nData Center         Data Center/Telecommunications System\nDDMS                Digital Data Management System\nEARS                Enterprise Architecture Repository System\nEHD                 Electronic Hearing Docket\nEIE                 Electronic Information Exchange\nERDS                Emergency Response Data System\nETS                 Emergency Telecommunications System\nFIPS                Federal Information Processing Standard\nFISMA               Federal Information Security Management Act\nFY                  Fiscal Year\nGLTS                General License Tracking System\nHLW EHD             High Level Waste Electronic Hearing Docket\nHPCS                High Performance Computing System\nIATO                Interim Authorization to Operate\nIG                  Inspector General\nIPSS                Integrated Personnel Security System\nIT                  Information Technology\nITSSTS              Information Technology Systems Security Tracking System\nLAN/WAN             Local Area Network/Wide Area Network\nLSN                 Licensing Support Network\nLTS                 License Tracking System\nMD                  Management Directive\nNIST                National Institute of Standards and Technology\nNRC                 Nuclear Regulatory Commission\nOCIMS               Operations Center Information Management System\n\n\n\n                                              v\n\x0c                                                            Independent Evaluation of\n                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\nOIG       Office of the Inspector General\nOIS       Office of Information Services\nOMB       Office of Management and Budget\nOPM       Office of Personnel Management\nPOA&M     Plan of Action and Milestones\nRPS       Reactor Program System\nSP        
Special Publication\nSQL       Structured Query Language\nTAC       Technology Assessment Center\nUS-CERT   United States Computer Emergency Readiness Team\nU.S.C.    United States Code\n\n\n\n\n                                   vi\n\x0c                                                                                                 Independent Evaluation of\n                                                                                  NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\nTABLE OF CONTENTS\n\n\nExecutive Summary ....................................................................................................... i\n\n1 Background .............................................................................................................. 1\n\n2 Purpose .................................................................................................................... 1\n\n3 Findings.................................................................................................................... 1\n    3.1  Agency and Contractor Systems ................................................................... 3\n    3.2  Agency Performance of FISMA Activities ..................................................... 5\n         3.2.1 Certification and Accreditation............................................................................5\n         3.2.2 Security Control Test and Evaluation ..................................................................6\n         3.2.3 Contingency Planning and Testing ......................................................................8\n    3.3 Agency Oversight.......................................................................................... 10\n    3.4 Agency System Inventory ............................................................................ 12\n    3.5 E-Authentication............................................................................................ 
14\n    3.6 Assessment of the POA&M Process ........................................................... 15\n    3.7 Assessment of the Certification and Accreditation Process..................... 18\n    3.8 Agency Security Configuration Policy ........................................................ 19\n    3.9 Incident Detection and Handling Procedures ............................................. 20\n    3.10 Security Awareness and Training................................................................ 21\n    3.11 Agency Compliance with the Privacy Act ................................................... 23\n4 Consolidated List of Recommendations ............................................................. 25\n\n5 OIG Response to Agency Comments .................................................................. 26\n\n\nAppendices\n\n    Appendix A: Scope and Methodology ............................................................... 27\n    Appendix B: Status of Contingency Plan Testing ............................................ 29\n    Appendix C: FY 2005 FISMA Reporting Template for Agency Inspectors\n                General and Additional Narrative ................................................. 
33\n\n\n\n\n                                                              vii\n\x0c                                            Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              viii\n\x0c                                                                                          Independent Evaluation of\n                                                                           NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n1        Background\n\nOn December 17, 2002, the President signed the E-Government Act of 2002, which included\nFISMA.2 FISMA outlines the information security management requirements for agencies,\nwhich includes an annual independent evaluation of the agency\xe2\x80\x99s information security program\nand practices to determine their effectiveness. This evaluation must include testing of the\neffectiveness of information security policies, procedures, and practices of a representative\nsubset of the agency\xe2\x80\x99s information systems. FISMA requires the annual evaluation to be\nperformed by the agency\xe2\x80\x99s IG or by an independent external auditor.\n\nOMB memorandum M-05-15 requires the agency\xe2\x80\x99s IG to complete the Reporting Template for\nAgency IGs. That template, along with any additional narrative the IG feels provides meaningful\ninsight into the status of the agency\xe2\x80\x99s security or privacy program, is submitted to OMB as part\nof the agency\xe2\x80\x99s annual FISMA report.\n\nCarson Associates performed an independent evaluation of NRC\xe2\x80\x99s implementation of FISMA for\nFY 2005. This report presents the results of that independent evaluation. Carson Associates also\nprepared the Reporting Template for Agency IGs, along with additional narrative, for inclusion\nin the agency\xe2\x80\x99s annual FISMA report. 
The Reporting Template for Agency IGs and the\nadditional narrative is included as Appendix C to this report.\n\nThe OIG also asked Carson Associates to evaluate the agency\xe2\x80\x99s compliance with the Privacy\nAct.3 This request was made prior to OMB\xe2\x80\x99s issuance of the FY 2005 FISMA reporting\nguidelines, which also include a requirement to report on implementation of the Privacy Act.\n\n2        Purpose\n\nThe objective of this review was to perform an independent evaluation of NRC\xe2\x80\x99s implementation\nof FISMA for FY 2005.\n\n3        Findings\n\nWhile major deficiencies exist, NRC has made improvements to its automated information\nsecurity program.\n\n    \xe2\x80\xa2    The agency has corrected 66 percent of its program level weaknesses and 7 percent of its\n         system level weaknesses reported on its POA&Ms.\n\n\n\n2\n  The Federal Information Security Management Act of 2002 was enacted on December 17, 2002, as part of the E-\n  Government Act of 2002 (Public Law 107-347), and replaces the Government Information Security Reform Act,\n  which expired in November 2002.\n3\n  The Privacy Act of 1974 (5 U.S.C. \xc2\xa7 552a), As Amended, was enacted to balance the Government\xe2\x80\x99s need to\n  maintain information about individuals with the rights of individuals to be protected against unwarranted invasions\n  of their privacy resulting from the collection, maintenance, use, and disclosure of personal information. 
The\n  Privacy Act safeguards confidentiality by limiting or restricting disclosure of personally identifiable records\n  maintained by Federal agencies.\n\n\n                                                          1\n\x0c                                                                              Independent Evaluation of\n                                                               NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n   \xe2\x80\xa2   The agency developed templates for risk assessments, security plans, security test and\n       evaluation plans, security test and evaluation reports, contingency plans, and contingency\n       plan test reports. The templates and instructions for their use are available on the NRC\n       IT security Web page. The templates were developed to ensure security documentation\n       supporting system certification and accreditation is consistent with guidelines from NIST.\n       The templates include a section or sections that specifically identify action items resulting\n       from the certification and accreditation process to ensure corrective actions are tracked.\n   \xe2\x80\xa2   The agency requires that the system certification package contain a spreadsheet of the\n       plan to resolve issues identified during the certification process. 
This requirement is also\n       presented on the agency\xe2\x80\x99s IT security Web page.\n   \xe2\x80\xa2   The agency modified the security plan template and the NRC version of the self-\n       assessment based on NIST SP 800-26 to ensure security protection requirements\n       (confidentiality, integrity, and availability) are consistently defined.\n\nHowever, the independent evaluation identified the following automated information security\nprogram weaknesses.\n\n   \xe2\x80\xa2   The majority of NRC systems have not been categorized in accordance with FIPS 199.\n   \xe2\x80\xa2   Agency self-assessments are not timely.\n   \xe2\x80\xa2   Annual contingency plan testing is not being performed.\n   \xe2\x80\xa2   The agency does not maintain documentation that demonstrates systems provided by\n       other Federal agencies meet FISMA requirements.\n   \xe2\x80\xa2   Oversight of other contractor systems is lacking.\n   \xe2\x80\xa2   The agency\xe2\x80\x99s inventory of information systems is only 51-70 percent complete because\n       (1) information in the two systems that maintain inventory information is inaccurate and\n       inconsistent and (2) only one system contains information on system interfaces and that\n       information is also inaccurate and inconsistent. 
In addition, the agency\xe2\x80\x99s inventory is not\n       maintained and updated annually.\n   \xe2\x80\xa2   E-authentication risk assessments completed in accordance with OMB M-04-04 are\n       incorrect and inconsistent with the systems\xe2\x80\x99 FIPS 199 security categorizations.\n   \xe2\x80\xa2   The agency is not always following OMB\xe2\x80\x99s POA&M guidance and the metrics submitted\n       to OMB deviate from the actual POA&Ms.\n   \xe2\x80\xa2   The majority of the agency\xe2\x80\x99s operational information systems (19 of 27) are operating\n       under an IATO, and therefore are not considered certified and accredited.\n   \xe2\x80\xa2   The agency lacks procedures for ensuring employees with significant IT security\n       responsibilities receive security training and awareness.\n\nThe following sections present the detailed findings from the independent evaluation. The\nformat of the following sections is based on the FY 2005 FISMA Reporting Template for\nAgency IGs, which can be found in Appendix C.\n\n\n\n                                                 2\n\x0c                                                                                           Independent Evaluation of\n                                                                            NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n3.1      Agency and Contractor Systems\n\nAgency Systems\n\nFY 2005 FISMA Reporting Template for Inspectors General Question 1.a\n\n                                    Table 3-1. 
FY 05 Agency Systems\n                               FIPS 199 Risk              Total             Number\n                                Impact Level             Number            Reviewed\n                             High                              4                0\n                             Moderate                          4                0\n                             Low                               0                0\n                             Not Categorized                  19                0\n                             Total                            27                0\n\nNRC has a total of 30 production systems. Of the 30, 12 are general support systems4 (all\noperational), and 18 are major applications5 (15 operational, 3 in development). As required by\nFISMA, the NRC Office of the Inspector General (OIG) selected five NRC operational systems\nfor evaluation during the FY 2005 FISMA independent evaluation. However, during a status\nmeeting with the agency, the OIG learned that the certification and accreditations of the systems\nchosen for evaluation had either expired and the systems are operating under an IATO, or were\ndue to expire in FY 2005, and that their re-certification and re-accreditation would not be\ncompleted before completion of the FY 2005 FISMA independent evaluation. Furthermore,\nthere were no other systems to substitute because they were either reviewed during the FY 2004\nFISMA independent evaluation, or had certification and accreditations that were due to expire\nbefore the end of the year. Without enough systems with current certification and accreditations,\nCarson Associates could not perform an evaluation of a representative subset of agency systems\nfor the FY 2005 FISMA independent evaluation.\n\nContractor Systems\n\nFY 2005 FISMA Reporting Template for Inspectors General Question 1.b\n\n                                  Table 3-2. 
FY 05 Contractor Systems\n                               FIPS 199 Risk              Total             Number\n                                Impact Level             Number            Reviewed\n                             High                             0                 0\n                             Moderate                         0                 0\n                             Low                              0                 0\n                             Not Categorized                  7                 0\n                             Total                            7                 0\n4\n  A general support system is an interconnected set of information resources under the same direct management\n  control that share common functionality. Typical general support systems are local and wide area networks,\n  servers, and data processing centers.\n5\n  A major application is a computerized information system or application that requires special attention to security\n  because of the risk and magnitude of harm that would result from the loss, misuse, or unauthorized access to or\n  modification of the information in the application.\n\n\n                                                          3\n\x0c                                                                                            Independent Evaluation of\n                                                                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n\n\nNRC has a total of seven systems operated by a contractor or other organization on behalf of the\nagency (two major applications and five general support systems). Of the seven, three are\noperated by other Federal agencies, two are operated by federally funded research and\ndevelopment centers, and two are operated by contractors supporting the agency. 
The OIG did\nnot review any of the seven systems operated by a contractor or other organization on behalf of\nthe agency for evaluation during the FY 2005 FISMA independent evaluation, as there were no\npotential candidates to review. Of the seven, four6 were evaluated during the FY 2004 FISMA\nindependent evaluation (three operated by other Federal agencies and one operated by a federally\nfunded research and development center), and therefore were not candidates for review in FY\n2005. The other three systems operated by a contractor or other organization on behalf of the\nagency were not candidates for evaluation in FY 2005 because there was not sufficient\ninformation available to perform an evaluation. The agency stated that in FY 2005 it would be\nperforming self-assessments in accordance with NIST SP 800-26 on its contractor systems.\nHowever, the self-assessments were not completed in time for inclusion in the FY 2005 FISMA\nindependent evaluation.\n\nMajority of NRC Systems Have Not Been Categorized in Accordance With FIPS 199\n\nFIPS 199 requires all agencies to categorize their information and information systems. The\nsecurity categories are based on the potential impact on an organization should certain events\noccur which jeopardize the information and information systems needed by the organization to\naccomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its\nday-to-day functions, and protect individuals. All systems must be categorized using FIPS 199\nby February 2005.\n\nHowever, despite the requirement to categorize all systems by February 2005, Carson Associates\nfound that the majority of NRC information systems, including systems operated by a contractor\nor other organization on behalf of the agency, have not been categorized in accordance with FIPS\n199. 
Specifically, only 8 of the 27 operational NRC information systems have been categorized, and
none of the contractor systems have been categorized.

Not only is security categorization required by FIPS 199, it is also needed to select the minimum
security controls for a system as defined in NIST SP 800-53, Recommended Security Controls for
Federal Information Systems. Because most of its systems are not categorized, the agency cannot
determine the appropriate minimum security controls for its information systems and cannot
determine whether the current controls for the information systems are adequate.

[6] The FY 2004 FISMA independent evaluation included a review of three contractor operations and
    facilities. These three contractor operations and facilities support a total of four agency
    systems operated by a contractor or other organization on behalf of the agency.

RECOMMENDATION

    The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Categorize all NRC information systems, including systems operated by a contractor or
       other organization on behalf of the agency, in accordance with FIPS 199.

3.2  Agency Performance of FISMA Activities

3.2.1 Certification and Accreditation

FY 2005 FISMA Reporting Template for Inspectors General Question 2.a

               Table 3-3. Number of Systems Certified and Accredited

        FIPS 199 Risk Impact Level        Agency        Contractor        Total
        High                                 1               0               1
        Moderate                             0               0               0
        Low                                  0               0               0
        Not Categorized                      7               3              10
        Total                                8               3              11

Agency Systems

As stated previously, during a status meeting with the agency the OIG learned that the
certifications and accreditations of some agency information systems had either expired (leaving
the systems operating under an IATO) or were due to expire in FY 2005. Specifically, only 8 of
the 27 operational NRC information systems have full authorization to operate (i.e., they have a
current certification and accreditation). The small number of systems with a current
certification and accreditation prompted OIG to request Carson Associates to undertake an overall
review of the NRC's certification and accreditation efforts. Section 3.7 of this report discusses
the OIG's assessment of the agency's certification and accreditation process in detail.

Contractor Systems

Of the seven systems operated by a contractor or other organization on behalf of the agency, only
three have been certified and accredited. These three systems are operated by other Federal
agencies. NRC presumes that the two Federal agencies that operate these systems are also
following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its own
review).
Carson Associates verified that there are agreements in place with the two Federal agencies
providing services to NRC and that the agreements include requirements to comply with applicable
Federal and respective agency information systems security policies, mandates, and instructions.
However, the agency does not maintain copies of all certification and accreditation documentation
for these systems. The other four systems operated by a contractor or other organization on
behalf of the agency have not been certified and accredited.

3.2.2 Security Control Test and Evaluation

FY 2005 FISMA Reporting Template for Inspectors General Question 2.b

        Table 3-4. Number of Systems With Tested and Evaluated Security Controls

        FIPS 199 Risk Impact Level        Agency        Contractor        Total
        High                                 2               0               2
        Moderate                             2               0               2
        Low                                  0               0               0
        Not Categorized                     14               3              17
        Total                               18               3              21

Agency Systems

FISMA requires agencies to test and evaluate the security controls of every information system
identified in their inventory no less than annually. The necessary depth and breadth of an annual
FISMA review depends on several factors, such as (1) the potential risk and magnitude of harm to
the system or data, (2) the relative comprehensiveness of last year's review, and (3) the adequacy
and successful implementation of the POA&M for weaknesses in the system. For example, if last
year a system underwent a complete certification and accreditation, this year a relatively simple
update or maintenance review using NIST's self-assessment guidance may be sufficient, provided it
has been adequately documented within the agency. Previous OMB FISMA guidance stated that
agencies must use NIST SP 800-26 to conduct their annual reviews. The FY 2005 FISMA guidance
allows agencies to continue to use NIST SP 800-26, or to conduct a self-assessment against the
controls found in NIST SP 800-53.

NRC meets the FISMA requirement to test and evaluate the security controls of agency information
systems by performing annual self-assessments on the systems. As in previous years, NRC developed
self-assessment templates for major applications and general support systems. For FY 2005 NRC
also developed a site self-assessment template for security assessments at regional offices,
resident inspector sites, NRC locations other than headquarters and the regional offices, and
contractor sites hosting NRC information systems. The NRC self-assessment templates are based on
NIST SP 800-26 and include references to NIST SP 800-53 to provide a general indication of control
coverage. While the templates include references to NIST SP 800-53, the intent is not to perform a
self-assessment against the controls found in NIST SP 800-53, but rather to provide organizations
with a general indication of control coverage.

As of September 12, 2005, Carson Associates had received self-assessments for only 18 of NRC's
27 operational information systems.[7] The first self-assessment was not received until
September 2, 2005. Subsequent to completion of field work, the agency provided self-assessments
for the other nine operational systems. However, these self-assessments were not provided in time
to review.

[7] One of the self-assessments addresses eight individual general support systems.

Contractor Systems

Of the seven systems operated by a contractor or other organization on behalf of the agency, only
three have had their security controls tested and evaluated in the last year. These three systems
are operated by other Federal agencies. NRC presumes that the two Federal agencies that operate
these systems are also following FISMA and NIST guidelines (these agencies have not allowed NRC
to conduct its own review), and have therefore conducted an annual review. However, the agency
does not request a copy of the annual review for these systems from the other Federal agencies.

As previously discussed, the agency stated that in FY 2005 it would be performing
self-assessments on its contractor systems. However, Carson Associates has not received any
self-assessments for the four other systems operated by a contractor or other organization on
behalf of the agency. Subsequent to completion of field work, the agency provided
self-assessments for the four other systems operated by a contractor or other organization on
behalf of the agency. However, these self-assessments were not provided in time to review.

Agency Self-Assessments Are Not Timely

As stated previously, NRC meets the requirement for annual test and evaluation of security
controls for agency information systems by conducting self-assessments. The agency includes
self-assessment activities in its POA&Ms. The majority of self-assessments were scheduled for
completion by August 1, 2005, according to the 3rd Quarter FY 2005 POA&Ms submitted to OMB. The
agency also stated that it would be conducting self-assessments on regional offices, resident
inspector sites, NRC locations other than headquarters and the regional offices, and contractor
sites hosting NRC information systems.

However, despite the requirement to perform annual test and evaluation of security controls for
agency information systems, and despite the agency's commitment to complete self-assessments by
August 1, 2005, Carson Associates found that self-assessments had been completed for only 18 of
the agency's 27 operational information systems (as of September 12, 2005). As a result, the
agency is not meeting FISMA requirements for performing annual test and evaluation of security
controls.

Lack of self-assessments also impacts the completeness of the OIG's independent evaluation of the
agency's implementation of FISMA. As required by FISMA, the OIG selects a subset of agency
information systems for evaluation. In addition to the detailed review of the subset of agency
information systems, the OIG also performs a high level review of all agency information systems
by reviewing their current self-assessments. However, for the FY 2005 FISMA independent
evaluation, the agency did not provide the OIG with the self-assessments in time to perform the
high level review.

RECOMMENDATION

    The Office of the Inspector General recommends that the Executive Director for Operations:

    2. Complete annual self-assessments for FY 2006 no later than August 1, 2006, and
       thereafter.

3.2.3 Contingency Planning and Testing

FY 2005 FISMA Reporting Template for Inspectors General Question 2.c

             Table 3-5. Number of Systems With Tested Contingency Plans

        FIPS 199 Risk Impact Level        Agency        Contractor        Total
        High                                 0               0               0
        Moderate                             1               0               1
        Low                                  0               0               0
        Not Categorized                      2               3               5
        Total                                3               3               6

Agency Systems

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, states that
contingency plans should be tested at least annually and when significant changes are made to the
information system, supported business process(es), or the contingency plan. As of September 12,
2005, Carson Associates had received results of contingency plan testing for only 3 of NRC's 27
operational information systems. Subsequent to the completion of field work, Carson Associates
was informed that contingency plan testing had been performed on 10 additional agency systems
(8 of which are general support systems resulting from the decomposition of the agency's local
area network/wide area network general support system). However, the agency has not provided
documentation indicating the testing has been completed.

Contractor Systems

Of the seven systems operated by a contractor or other organization on behalf of the agency, only
three have had their contingency plans tested in the last year. These three systems are operated
by other Federal agencies. NRC presumes that the two Federal agencies that operate these systems
are also following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its
own review), and have therefore performed an annual contingency plan test of their systems.
However, the agency does not verify that the contingency plans have been tested and evaluated for
these systems on an annual basis. The agency does not have contingency plans for the other four
systems operated by a contractor or other organization on behalf of the agency.

Annual Contingency Plan Testing Is Not Being Performed

As stated previously, NIST SP 800-34 states that contingency plans should be tested at least
annually. However, despite this requirement, Carson Associates found that only 3 of the agency's
27 operational information systems have had their contingency plans tested in FY 2005.

The 3rd Quarter FY 2005 POA&Ms the agency submitted to OMB included information on the status of
contingency plan testing for the agency's 24 operational information systems that have not yet
had their contingency plans tested. According to the 3rd Quarter FY 2005 POA&Ms, the delays in
testing the contingency plans are related to the delays in certifying and accrediting the
systems. The following is a summary of the reasons for the delays for the 24 systems that have
not had their contingency plans tested in FY 2005. See Appendix B for additional details on the
status of contingency plan testing.

    •   Of the 24, 18 are undergoing re-certification and re-accreditation (6 of the 18 have a
        current certification and accreditation, and the other 12 have an expired certification
        and accreditation and are operating under an IATO).
    •   Of the 24, 4 are undergoing certification and accreditation for the first time.
    •   Of the 24, 1 is scheduled to be transitioned to a research and development role by
        December 31, 2005, and would no longer require certification and accreditation.
    •   Of the 24, 1 was not included with the 3rd Quarter FY 2005 POA&Ms, but this system is
        new, and is undergoing certification and accreditation for the first time.

The testing of contingency plans is essential in determining whether plans will function as
intended in an emergency situation. Without testing, the agency has limited assurance that it
will be able to recover mission-critical applications, business processes, and information in
the event of an unexpected interruption. Even a minor interruption could result in lost or
incorrectly processed data if the contingency plan has not been tested.

RECOMMENDATION

    The Office of the Inspector General recommends that the Executive Director for Operations:

    3. Develop and implement procedures to ensure contingency plans are tested annually,
       regardless of the status of the systems' certification and accreditation.

3.3  Agency Oversight

FY 2005 FISMA Reporting Template for Inspectors General Question 3.a

3.a. The agency performs oversight and evaluation to ensure information systems used or operated
     by a contractor of the agency or other organization on behalf of the agency meet the
     requirements of FISMA, OMB policy and NIST guidelines, national security policy, and agency
     policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor or
     other organization is not sufficient; however, self-reporting by another Federal agency may
     be sufficient.
     Response: Mostly, for example, approximately 81-95% of the time

FISMA requires agencies to provide information security protections commensurate with the risk
and magnitude of harm resulting from unauthorized access, use, disclosure, disruption,
modification, or destruction of (1) information collected or maintained by or on behalf of the
agency and (2) information systems used or operated by an agency or other organization on behalf
of an agency.[8] OMB M-05-15 provides examples of agency security responsibilities concerning
contractors and other sources.
OMB M-05-15 describes the following primary categories of contractors as they relate to securing
systems and information.

    •   Service providers – encompasses typical outsourcing of system or network operations,
        telecommunications services, or other managed services. OMB states that agencies are
        fully responsible and accountable for ensuring all FISMA and related policy requirements
        are implemented and reviewed, and such must be included in the terms of the contract.
        Agencies must ensure identical, not "equivalent," security procedures. For example,
        annual reviews, risk assessments, security plans, control testing, contingency planning,
        and certification and accreditation must, at a minimum, explicitly meet guidance from
        NIST. NRC has three contractor systems that fit in this category. All three of these
        systems are operated by other Federal agencies.
    •   Contractor support – encompasses on- or offsite contractor technical or other support
        staff. As with service providers, OMB states that agencies are fully responsible and
        accountable for ensuring all FISMA and related policy requirements are implemented and
        reviewed, and such must be included in the terms of the contract. Agencies must ensure
        identical, not "equivalent," security procedures. Specifically, the agency is responsible
        for ensuring the contractor personnel receive appropriate training (i.e., general and
        specific). NRC has two contractor systems that fit in this category.
    •   Government-owned, contractor-operated facilities – includes federally funded research
        and development centers. OMB states that these facilities are agency components and
        their security requirements are identical to those of the managing Federal agency in all
        respects. Security requirements must be included in the terms of the contract. NRC has
        two contractor systems that fit in this category. The managing Federal agency for one of
        the systems is NRC and the other is another Federal agency.

[8] Information systems used or operated by a contractor of an agency or other organization on
    behalf of the agency refers to information systems that the agency considers to be either
    major applications or general support systems.

Agency Does Not Maintain Documentation That Demonstrates Systems Provided By
Other Federal Agencies Meet FISMA Requirements

NRC presumes that the two Federal agencies that operate three of the seven contractor systems
are also following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its
own review). Carson Associates verified that there are agreements in place with the two Federal
agencies providing services to NRC and that the agreements include requirements to comply with
applicable Federal and respective agency information systems security policies, mandates, and
instructions. Carson Associates also verified that the agency has copies of current security
plans for two of the three systems.
However, the agency does not (1) maintain copies of all certification and accreditation
documentation for these systems, (2) verify that the security controls have been tested and
evaluated for these systems on an annual basis, and (3) verify that the contingency plans have
been tested and evaluated for these systems on an annual basis.

RECOMMENDATIONS

    The Office of the Inspector General recommends that the Executive Director for Operations:

    4. Maintain current copies of certification and accreditation memoranda for systems
       provided by other Federal agencies.
    5. Maintain current copies of self-assessments for systems provided by other Federal
       agencies.
    6. Maintain current copies of annual contingency plan testing results for systems provided
       by other Federal agencies.

Oversight of Other Contractor Systems Is Lacking

The agency has not performed sufficient oversight and evaluation of four of the seven contractor
systems to ensure the information systems meet requirements of FISMA, OMB policy, NIST
guidelines, and agency policy. The agency stated that for two of the four systems (the two
contractor support systems), security guidelines are written into the relevant contracts and the
contractors must follow NRC security procedures. However, the agency has no documentation
demonstrating that these systems meet FISMA requirements, specifically the requirements for
certification and accreditation, annual testing and evaluation of security controls, and annual
contingency plan testing. Carson Associates could not determine how NRC performs oversight of
the other two contractor systems (the two federally funded research and development centers).

Oversight of other contractor systems is lacking because the agency lacks procedures for
performing this oversight.
For example, Management Directive (MD) and Handbook 12.5, NRC Automated Information Security
Program, require all NRC major applications and general support systems to be certified and
accredited, and describe the procedures for accomplishing certification and accreditation.
However, MD and Handbook 12.5 do not describe procedures for certifying and accrediting major
applications and general support systems operated by a contractor or other organization on
behalf of the agency.

RECOMMENDATION

    The Office of the Inspector General recommends that the Executive Director for Operations:

    7. Develop and implement procedures for performing oversight of major applications and
       general support systems operated by a contractor or other organization on behalf of the
       agency.

3.4  Agency System Inventory

FY 2005 FISMA Reporting Template for Inspectors General Questions 3.b, 3.c, 3.d, 3.e

3.b. The agency has developed an inventory of major information systems (including major
     national security systems) operated by or under the control of such agency, including an
     identification of the interfaces between each such system and all other systems or
     networks, including those not operated by or under the control of the agency.
     Response: Approximately 51-70% complete
3.c. The OIG generally agrees with the CIO on the number of agency owned systems.
     Response: No
3.d. The OIG generally agrees with the CIO on the number of information systems used or operated
     by a contractor of the agency or other organization on behalf of the agency.
     Response: Yes
3.e. The agency inventory is maintained and updated at least annually.
     Response: No

FISMA requires agencies to develop and maintain an inventory of major information systems
operated by or under control of the agency. The inventory must include an identification of the
interfaces between each such system and all other systems or networks, including those not
operated by or under the control of the agency, and must be updated at least annually. The
inventory shall also be used to support information resources management.

MD and Handbook 12.5 assign the NRC Chief Information Officer (CIO) responsibility for
developing and maintaining a master inventory of all agency systems. MD and Handbook 2.1,
Information Technology Architecture, assign the NRC CIO responsibility for developing,
maintaining, and implementing the NRC Information Technology Architecture. The agency maintains
two inventories, the Information Technology Systems Security Tracking System (ITSSTS) and the
Enterprise Architecture Repository System (EARS), to meet the requirements outlined in MD and
Handbooks 12.5 and 2.1, respectively.

While FISMA only requires agencies to maintain an inventory of major information systems (major
applications and general support systems), NRC also includes two other types of systems in its
inventories.

    •   Listed – a computerized information system or application that (1) processes sensitive
        information requiring additional security protections and (2) may be important to an NRC
        office's or region's operations, but which is not a major application or general support
        system when viewed from an agency perspective.
        Sensitive data may include individual Privacy Act information, law enforcement sensitive
        information, sensitive contractual and financial information, safeguards, and classified
        information.
    •   Other – an NRC system that does not require additional security protections and is
        adequately protected by the security provided by the NRC local area network/wide area
        network.

Carson Associates found that the agency's inventory is only 51-70 percent complete because
(1) information in both ITSSTS and EARS is inaccurate and inconsistent and (2) only EARS contains
information on system interfaces, and that information is also inaccurate and inconsistent.
Carson Associates generally agrees with the CIO on the number of agency owned major applications
and general support systems, but does not agree with the CIO on the number of agency owned
systems in the listed and other categories. Carson Associates also found that the agency's
inventory is not maintained and updated at least annually.

As requested by the OIG, Carson Associates conducted a separate evaluation of the agency's
automated information system (AIS) inventory process. The findings from this review were
reported separately under OIG-05-A-22, Office of the Inspector General Evaluation of NRC's
Automated Information System Inventory Process. The report made seven recommendations to the
agency to improve its inventory process. The following is a summary of the findings from the
evaluation of NRC's AIS inventory process.

The evaluation of the agency's AIS inventory process found that (1) information in NRC AIS
inventories is inaccurate and inconsistent and (2) NRC AIS inventory systems are not designed to
capture all of the data needed to meet FISMA requirements. The information in NRC AIS
inventories is inaccurate and inconsistent because the procedures for maintaining and updating
AIS inventories are inadequate. Specifically, the agency (1) lacks procedures for updating AIS
inventories with information collected from office directors, regional administrators, and
system sponsors/owners, (2) provides insufficient guidance to office directors, regional
administrators, and system sponsors/owners when requesting information for the AIS inventories,
(3) lacks procedures for adding new systems to the AIS inventories, and (4) lacks procedures for
updating information for systems already in the inventory. The lack of adequate procedures not
only results in inaccurate and inconsistent data, but also results in duplicative efforts for
NRC offices.

As a result of inaccurate and inconsistent data in the AIS inventories, the agency lacks a
complete understanding of what AISs are currently in use, and therefore cannot support two of
the five areas of information resources management specified by FISMA. Without an accurate AIS
inventory, the agency does not know what information technology is currently in place, and
therefore cannot adequately plan, budget, acquire, and manage information technology. The agency
also cannot adequately monitor, test, and evaluate security controls for AISs as required by
FISMA.

Neither ITSSTS nor EARS was designed to capture all of the data needed to fully meet FISMA's
requirement to develop an inventory of major information systems that shall be used to support
information resources management.
For example, only one inventory system captures the data needed to indicate which systems
include Privacy Act data, and not all systems that include Privacy Act data are correctly
identified. If the agency cannot identify which systems contain Privacy Act data, it cannot
provide effective privacy protections for those systems, and cannot test and evaluate those
protections. In addition, neither inventory system captures the data needed to support
(1) preparation and maintenance of the inventory of information resources required to support
the Government Information Locator Service, (2) preparation of the index of major information
systems required under the Freedom of Information Act, and (3) preparation of information system
inventories required for records management.

3.5  E-Authentication

FY 2005 FISMA Reporting Template for Inspectors General Question 3.f

3.f. The agency has completed system e-authentication risk assessments.
     Response: No

In FY 2004, the agency stated that it had begun assessing systems for e-authentication risk in
accordance with OMB M-04-04. A contract was awarded in the 3rd Quarter FY 2004 and the agency
stated that it was on track to meet the December 15, 2004, deadline for classifying all major
applications. OMB M-04-04 required all systems classified as "major" to implement the guidance
by December 15, 2004, and the remaining systems to implement the guidance by September 15, 2005.
New systems are required to implement the guidance within 90 days of the completion of the
final e-authentication technical guidance issued by NIST (NIST issued the final guidance in
June 2004).

E-Authentication Risk Assessments Are Incorrect and Inconsistent

Despite these requirements, and the agency’s previous statement that it was on track to meet
the December 15, 2004, deadline for classifying all major applications, Carson Associates
found that e-authentication risk assessments have been completed for only 6 of the agency’s
27 operational systems. The agency stated that e-authentication risk assessments will be
supported under the interim Information Systems Security contract awarded August 11, 2005,
and are expected to be completed by December 15, 2005. Carson Associates reviewed the
completed e-authentication risk assessments and found them to be incorrect and inconsistent
with the systems’ FIPS 199 security categorizations. For example, in some instances, the
e-authentication assurance level was incorrectly determined from the impact levels assigned
to the six categories of harm and impact defined in OMB M-04-04. In other instances, the
impact levels assigned to the six categories of harm and impact are not consistent with the
FIPS 199 security categorizations of the systems.

RECOMMENDATIONS

   The Office of the Inspector General recommends that the Executive Director for Operations:

   8. Review and update the six completed e-authentication risk assessments to correct
      inaccuracies and inconsistencies with FIPS 199 security categorizations.

   9. Develop and implement a plan for completing the remaining e-authentication risk
      assessments.

3.6      Assessment of the POA&M Process

FY 2005 FISMA Reporting Template for Inspectors General Question 4

   4.a. The POA&M is an agency-wide process, incorporating all known IT security weaknesses
        associated with information systems used or operated by the agency or by a
        contractor of the agency or other organization on behalf of the agency.
          Response: Almost Always (approximately 96-100% of the time)
   4.b. When an IT security weakness is identified, program officials (including CIOs, if
        they own or operate a system) develop, implement, and manage POA&Ms for their
        system(s).
          Response: Almost Always (approximately 96-100% of the time)
   4.c. Program officials, including contractors, report to the CIO on a regular basis (at
        least quarterly) on their remediation progress.
          Response: Almost Always (approximately 96-100% of the time)
   4.d. The CIO centrally tracks, maintains, and reviews POA&M activities on at least a
        quarterly basis.
          Response: Almost Always (approximately 96-100% of the time)
   4.e. OIG findings are incorporated into the POA&M process.
          Response: Almost Always (approximately 96-100% of the time)
   4.f. The POA&M process prioritizes IT security weaknesses to help ensure significant IT
        security weaknesses are addressed in a timely manner and receive appropriate
        resources.
          Response: Almost Always (approximately 96-100% of the time)

NRC has two primary tools for tracking IT security weaknesses associated with information
systems used or operated by the agency or by a contractor of the agency or other organization
on behalf of the agency. At a high level, NRC uses the POA&Ms submitted to OMB to track
corrective actions from the OIG annual independent evaluation and the agency’s annual review.
The POA&Ms may also include corrective actions resulting from other security studies conducted
by or on behalf of NRC.

At a more detailed level, NRC uses the ITSSTS to track the progress of more specific corrective
actions, such as those resulting from risk assessments, security test and evaluation associated
with the certification and accreditation process, and contingency plan testing.

The FY 2004 FISMA independent evaluation found that the agency’s corrective action tracking
process needed further improvement. Specifically, findings and recommendations resulting from
security reviews and testing were not consistently being tracked, and the agency’s POA&M needed
improvement. To address these weaknesses, the agency performed the following corrective
actions.

   •   The agency developed templates for risk assessments, security plans, security test and
       evaluation reports, and contingency plan test reports that include a section or sections
       that specifically identify action items resulting from the certification and
       accreditation process that should be tracked in ITSSTS. The templates and instructions
       for their use are available on the NRC IT security Web page. 
       The agency also requires that the system certification package contain a spreadsheet
       of the plan to resolve issues identified during the certification process. This
       requirement is also presented on the IT security Web page.
   •   The agency reports corrected weaknesses on the POA&Ms for a year after their
       completion.
   •   The agency includes a completion date in the Status column of the POA&Ms.

In addition to improving its corrective action tracking process, the agency has also made some
progress in correcting weaknesses reported on its POA&Ms. The agency has corrected 66 percent
of its program level weaknesses; however, the agency has corrected only 7 percent of its
system level weaknesses. The majority of delays have been caused by delays in completing
certifications and accreditations, as described later in this report in Section 3.7.

In assessing the agency’s POA&M process, Carson Associates also found that the agency is not
always following OMB’s POA&M guidance and that the metrics submitted to OMB often deviated
from the actual POA&Ms.

NRC Has Made Some Progress in Correcting Weaknesses Reported on Its POA&Ms

The agency carried over a total of 2 program level and 12 system level weaknesses from FY
2004 into FY 2005. The following tables provide statistics from the three FY 2005 POA&Ms the
agency has submitted to OMB. In each table, the number carried to the start of the next
quarter equals the number at the start of the quarter plus new weaknesses minus completed
weaknesses, and also equals the sum of the on-going and delayed weaknesses.

                     Table 3-6. Program Level POA&Ms Statistics

   Quarter   # At Start   # New   # Completed   # On-going   # Delayed   # For Start of
             of Quarter                                                  Next Quarter
   Q1             2         10          3             7           2             9
   Q2             9          0          3             4           2             6
   Q3             6          0          2             2           2             4

                      Table 3-7. System Level POA&Ms Statistics

   Quarter   # At Start   # New   # Completed   # On-going   # Delayed   # For Start of
             of Quarter                                                  Next Quarter
   Q1            12         78          5            80           5            85
   Q2            85         38          1            82          40           122
   Q3           122         10          3            51          78           129

The following table summarizes the total number of weaknesses included in the FY 2005
POA&Ms, the total number of corrective actions the agency has reported as completed, the
total number of corrective actions that are still on-going, and the number of corrective
actions whose completion has been delayed.

               Table 3-8. Summary of FY 2005 POA&Ms Through the 3rd Quarter

                     Total #        Total #       Total #      Total #         %
                   Weaknesses      Completed     On-going      Delayed     Completed
   Program Level       12              8             2            2           66%
   System Level       138              9            51           78            7%

The Agency Is Not Always Following OMB’s POA&M Guidance

As stated previously, the agency is not always following OMB’s POA&M guidance. The following
are some examples of deviations from OMB’s POA&M guidance found on the 2nd Quarter FY 2005
POA&Ms.

   •   A system level weakness was completely changed from the previous quarter. Data in the
       Weakness, Scheduled Completion Date, and Milestones with Completion Dates columns was
       changed. OMB guidance states that these columns should not be modified.
   •   Eight weaknesses had changes in the Scheduled Completion Date column. This column
       should not be modified.
   •   A system level weakness had comments added to the Milestones with Completion Dates
       column. This column should not be modified.
   •   Five system level weaknesses had minor modifications to dates in the Milestones with
       Completion Dates column. For example, a date in the format “May 2005” was modified to
       include the day of the month (e.g., 1-May-05). While this column should not be
       modified, the changes did not result in a change in a completion date.
   •   Two system level weaknesses had modifications to dates in the Milestones with
       Completion Dates column to correct typographical errors identified in a previous
       quarter (the year was incorrect in the previous quarter). The dates were also modified
       to include the day of the month. While this column should not be modified, the changes
       were made to correct a typographical error. However, in both cases, one milestone date
       was also modified.
   •   One system level weakness had a milestone date of 31-Jan-05 in the 1st Quarter FY 2005
       POA&Ms. On the 2nd Quarter FY 2005 POA&Ms, the date was 08-Dec-04, a date that had
       already passed. Milestone dates for on-going or delayed tasks should not be modified
       to a date that has already passed.

Carson Associates also found similar deviations from OMB’s POA&M guidance on the 3rd Quarter
FY 2005 POA&Ms. While the agency is not always following OMB’s POA&M guidance, the agency is
using the POA&Ms to track all known security weaknesses. Program officials report to the CIO
on a quarterly basis on their remediation progress. In some cases, program officials are
required to report to the CIO on a monthly basis.

Metrics Submitted to OMB Deviate from the Actual POA&Ms

In addition to the deviations from OMB’s POA&M guidance, Carson Associates also found
discrepancies between the metrics submitted to OMB and the actual POA&Ms. 
However, the discrepancies in the metrics are not significant enough to report as a weakness
and are due, in part, to the large number of weaknesses being tracked on the agency’s POA&Ms.

3.7      Assessment of the Certification and Accreditation Process

FY 2005 FISMA Reporting Template for Inspectors General Question 5

   5. Assess the overall quality of the Department’s certification and accreditation
      process.
          Response: Poor

The FY 2004 FISMA independent evaluation found that the agency’s certification and
accreditation process needed improvement. Specifically, the agency needed to develop
processes for (1) ensuring security documentation supporting system certification and
accreditation is consistent with NIST guidelines, (2) ensuring security protection
requirements (confidentiality, integrity, availability) are consistently defined in security
plans and self-assessments, and (3) ensuring security test and evaluation in support of
certification and accreditation is comprehensive and independent. To address these
weaknesses, the agency performed the following corrective actions.

   •   The agency developed templates for risk assessments, security plans, security test and
       evaluation plans, security test and evaluation reports, contingency plans, and
       contingency plan test reports. The templates and instructions for their use are
       available on the NRC IT security Web page. The templates were developed to ensure
       security documentation supporting system certification and accreditation is consistent
       with NIST guidelines.
   •   The agency modified the security plan template and the NRC version of the NIST SP
       800-26 self-assessment to ensure security protection requirements (confidentiality,
       integrity, and availability) are consistently defined.
   •   The agency developed standard templates and instructions on their use for the security
       test and evaluation process. The templates and instructions are available on the NRC
       IT security Web page. The templates were developed to ensure security test and
       evaluation in support of certification and accreditation is comprehensive and
       independent.

Despite the improvements in the agency’s certification and accreditation process, Carson
Associates found that the majority of the agency’s operational information systems are
operating under an interim authority to operate (IATO) and therefore are not considered
certified and accredited. As stated previously, only 8 of the 27 operational NRC information
systems have full authorization to operate (i.e., they have a current certification and
accreditation). As a result, the OIG requested that Carson Associates undertake an overall
review of NRC’s certification and accreditation efforts. The findings from this review were
reported separately under OIG-05-A-20, Office of the Inspector General Evaluation of NRC’s
Certification and Accreditation Efforts. The report made two recommendations to the agency
to improve certification and accreditation efforts. 
The following is a summary of the findings from the evaluation of NRC’s certification and
accreditation efforts.

NRC’s general support systems have not had a complete certification and accreditation
performed in the past 3 years. Therefore, the agency does not know whether the security
controls for these general support systems are adequate, creating unknown potential risk. As
a result, all NRC information systems that depend on the security controls provided by these
general support systems inherit that unknown potential risk. The majority of NRC information
systems are not certified and accredited because (1) the certification and accreditation has
lapsed or was never completed and (2) NRC information systems are being re-certified and
re-accredited using new NIST requirements.9 As a result, potential risks to agency
information systems are unknown.

9   NRC information systems are being re-certified and re-accredited in accordance with the
    minimum security controls for information systems defined in NIST SP 800-53, Recommended
    Security Controls for Federal Information Systems.

3.8      Agency Security Configuration Policy

FY 2005 FISMA Reporting Template for Inspectors General Questions 6.a, 6.b

   6.a. Is there an agency-wide security configuration policy?
          Response: Yes
   6.b. Are configuration guides available for the products listed in the FY 2005 FISMA
        Reporting Template?
          Response: Yes

The agency has implemented several policies that address security configurations and their
implementation. In May 2003, the agency developed the NRC System Security Baseline
Implementation Plan, with an objective to establish, develop, implement, maintain, and verify
secure baseline configurations for all information systems. The NRC program is primarily
based on the Center for Internet Security’s benchmarks and scoring tools. NRC personnel
compiled and researched recommended “best practice” technical settings and actions and
developed “in-house” benchmarks for those platforms for which a benchmark had yet to be
developed. The following platforms were the focus of the initiative:

   •   Microsoft Windows NT
   •   Microsoft Windows 2000
   •   Novell NetWare
   •   Sun Solaris
   •   IBM AIX
   •   Linux

The scope of the plan is all NRC systems running the operating systems listed above and
includes all systems that are currently in an “active” state and are components of the
primary NRC network. Subsequent to the implementation of the System Security Baseline
Implementation Plan, the agency has begun using the following additional benchmarks and
configuration guides.

   •   Windows 2003 Domain Controllers and Member Servers (Center for Internet Security)
   •   Microsoft Internet Information Server (National Security Agency)
   •   Microsoft SQL Server (National Security Agency)
   •   Router security configuration guide (National Security Agency)
   •   Cisco router Internetwork Operating System (IOS) (Center for Internet Security)
   •   Cisco PIX firewall (Center for Internet Security)
   •   HP-UX (Center for Internet Security)
   •   Apache (Center for Internet Security)
   •   Oracle (Center for Internet Security)

Oracle and Apache are currently not in production and are being tested for planned future
production use. Hardening guidelines for Microsoft Internet Information Server are included
with the Windows 2000/2003 configuration guides. The agency also uses Sybase, for which no
specific configuration guides exist; the agency instead followed best practices and product
guidelines from the vendor.

The Office of Information Services (OIS) has recently posted requirements on the NRC internal
IT security Web page for the use of hardening specifications developed by the Center for
Internet Security for all systems using Windows Server 2003 and Red Hat Linux. All deviations
from the specification must be justified. Areas where the specification says “if absolutely
necessary” require justification of the “absolutely necessary” use of the feature. The same
applies to the “disable if possible” areas (justify not disabling).

For desktops, NRC has developed a standard image for Windows XP that is based on NIST best
practices. All desktops at NRC were upgraded to Windows XP in the past year. NRC uses
workstation upgrades that are “pushed” at login to keep desktop configurations consistent
across NRC. LANDesk can also be used to push upgrades to the desktops. NRC Announcements are
used to announce agency workstation updates. 
The announcements describe the nature of the upgrade and state that it will occur through an
automated procedure during network login. The announcement includes, as an attachment, the
schedule of when the upgrade will take place for each office in NRC.

NRC has also developed system security screening guidelines for preparing new systems for
implementation into the NRC production operating environment. The security screening ensures
that the system configuration meets NRC network security requirements. The guidelines
outline the steps necessary to request and perform the security screening process, guidance
on managing and developing a secure system, and industry best practices and additional
resources.

3.9      Incident Detection and Handling Procedures

FY 2005 FISMA Reporting Template for Inspectors General Question 7

   7.a. The agency follows documented policies and procedures for identifying and reporting
        incidents internally.
          Response: Yes
   7.b. The agency follows documented policies and procedures for external reporting to law
        enforcement authorities.
          Response: Yes
   7.c. The agency follows defined procedures for reporting to the United States Computer
        Emergency Readiness Team (US-CERT).
          Response: Yes

NRC’s Information Systems Security Incident Response Procedures (MD and Handbook 12.5,
Appendix B) formalize the agency’s procedures for monitoring, detecting, reporting, and
responding to information systems security incidents, and include procedures for reporting
incidents internally, for external reporting to law enforcement, and for reporting to the
United States Computer Emergency Readiness Team (US-CERT).10 The most current version of
the incident response procedures is maintained on the agency’s IT Web site.

The document defines the roles and responsibilities for reporting and responding to
information systems security incidents. When criminal activity is suspected or confirmed,
the procedures assign the OIG responsibility for contacting and coordinating the response
with law enforcement officials.

3.10     Security Awareness and Training

FY 2005 FISMA Reporting Template for Inspectors General Questions 8, 9

   8. Has the agency ensured security training and awareness of all employees, including
      contractors and those employees with significant IT security responsibilities?
          Response: Mostly (approximately 81-95% of employees have sufficient training)
   9. Does the agency explain policies regarding peer-to-peer file sharing in IT security
      awareness training, ethics training, or any other agency-wide training?
          Response: Yes

All new NRC employees (including contractors, interns, and summer hires) are required to
attend orientation the first day they report for duty. 
During the orientation, a brief presentation is made by a member of the OIS Program
Management, Policy Development, and Analysis Staff, Computer Security Team, which includes a
discussion on appropriate use of information technology equipment. In addition, a member of
the Office of the General Counsel presents a section on ethics which includes additional
discussion on appropriate use of the Internet.

All employees, including contractors, are required to take the on-line Computer Security
Awareness course as soon as they receive a network UserID and every year thereafter. OIS
maintains a database of personnel who have taken the security awareness course and
cross-checks the list on a regular basis with an employee list provided by NRC Human
Resources. A member of the Computer Security Team sends a message to offices around the
first of the month reminding them to have their employees take the course. Information
System Security Officers must sign an acknowledgement of their responsibilities when taking
the position and are required to take an on-line Information System Security Officer
training course in addition to the on-line Computer Security Awareness course.

10  The procedures actually reference reporting to the Federal Computer Incident Response
    Center, which was replaced by US-CERT when the Department of Homeland Security was
    established.

NRC meets the Office of Personnel Management (OPM) requirement to expose employees to
security awareness materials at least annually by (1) mandating that all NRC staff take the
NRC Computer Security Awareness course annually and documenting who takes the annual
training, (2) using posters, flyers, Web pages, NRC Yellow Announcements,11 NRC
Announcements,12 and articles/notices in the NRC monthly newsletter to keep computer
security on everyone’s mind throughout the year, and (3) holding the annual NRC Computer
Security Awareness Day event.

The agency is in the process of developing a computer security awareness and training
program plan to fully implement the requirements outlined in OMB Circular A-130, Management
of Federal Information Resources, Appendix III, Security of Federal Automated Information
Resources; FISMA; MD and Handbook 12.5; and OPM’s final regulations concerning information
technology security awareness (5 CFR Part 930, Subpart C, effective June 14, 2004).

Agency staff and contractors are advised of the dangers of peer-to-peer applications during
their annual Web-based security training. The on-line Computer Security Awareness course
includes a discussion of the dangers of peer-to-peer applications such as instant messaging.
Current agency policy does not explicitly prohibit peer-to-peer applications; however, the
agency is blocking sites that support the unauthorized reproduction of copyrighted material,
i.e., peer-to-peer and file sharing Web sites.

Agency Lacks Procedures for Ensuring Employees With Significant IT Security
Responsibilities Receive Security Training and Awareness

The agency stated that it had difficulty in gathering the information needed to report on
the total number of employees with significant IT security responsibilities, the number of
those employees who have received specialized training as described in NIST SP 800-16,
Information Technology Security Training Requirements: A Role- and Performance-Based Model,
and the total cost of providing IT security training. The agency’s training system does not
identify which employees have significant IT security responsibilities or which courses are
considered related to IT security. 
The agency gathered its data by asking each office and region to identify staff in their
offices with significant IT security responsibilities, describe any IT security-related
training that those staff members have taken, and report the cost of that training. The
agency’s training system also does not account for any training an employee may have taken
on his or her own time.

11  NRC Yellow Announcements (formerly Yellow Announcements) establish new policies,
    practices, or procedures; introduce changes in policy, senior staff assignments, or
    organization; or address major agencywide events. These announcements require signature
    and are retained as permanent records in ADAMS.
12  NRC Announcements (formerly Network Announcements) communicate information of major
    significance or interest to agency employees, as well as urgent or time-sensitive
    information. These announcements do not require signature.

RECOMMENDATION

   The Office of the Inspector General recommends that the Executive Director for Operations:

   10. Develop and implement procedures for ensuring employees and contractors with
       significant IT security responsibilities are identified, receive security awareness
       and training, and the individuals and their associated training are readily
       identifiable.

3.11     Agency Compliance with the Privacy Act

As part of the FY 2005 FISMA independent evaluation, the OIG asked Carson Associates to
evaluate the agency’s compliance with the Privacy Act. This request was made prior to OMB’s
issuance of the FY 2005 FISMA reporting guidelines, which also include a requirement to
report on implementation of the Privacy Act. Carson Associates met with the agency’s Privacy
Program Officer and Web services representatives, and reviewed applicable agency policies,
procedures, correspondence, and directives. Carson Associates used the questions found in
the OMB Reporting Template for Senior Agency Officials for Privacy as guidance in performing
the evaluation. Carson Associates found that controls for ensuring sufficient protections
for the privacy of personal information as set forth in the E-Government Act are effective
and that the agency is in compliance with the provisions of the Privacy Act.

4      Consolidated List of Recommendations

The Office of the Inspector General recommends that the Executive Director for Operations:

    1. Categorize all NRC information systems, including systems operated by a contractor or
       other organization on behalf of the agency, in accordance with FIPS 199.
    2. Complete annual self-assessments for FY 2006 no later than August 1, 2006, and
       thereafter.
    3. Develop and implement procedures to ensure contingency plans are tested annually,
       regardless of the status of the systems’ certification and accreditation.
    4. Maintain current copies of certification and accreditation memoranda for systems
       provided by other Federal agencies.
    5. Maintain current copies of self-assessments for systems provided by other Federal
       agencies.
    6. Maintain current copies of annual contingency plan testing results for systems
       provided by other Federal agencies.
    7. Develop and implement procedures for performing oversight of major applications and
       general support systems operated by a contractor or other organization on behalf of
       the agency.
    8. Review and update the six completed e-authentication risk assessments to correct
       inaccuracies and inconsistencies with FIPS 199 security categorizations.
    9. Develop and implement a plan for completing the remaining e-authentication risk
       assessments.
    10. Develop and implement procedures for ensuring employees and contractors with
        significant IT security responsibilities are identified, receive security awareness
        and training, and the individuals and their associated training are readily
        identifiable.

5      OIG Response to Agency Comments

OIG provided this report in draft to agency officials and discussed its content at an exit
conference on September 22, 2005. We modified the report as we determined appropriate in
response to our discussion. Agency officials generally agreed with the report’s findings and
recommendations and opted not to include formal comments.

Appendix A – Scope and Methodology

SCOPE AND METHODOLOGY

The scope of this independent evaluation of NRC’s implementation of FISMA for FY 2005
included:

   •   NRC’s AIS security program as described in MD and Handbook 12.5
   •   NRC’s implementation of the Privacy Act

To conduct the independent evaluation, the independent evaluation team met with agency staff
responsible for implementing the agency’s AIS security program, reviewed certification and
accreditation documentation for the agency’s operational information systems, and reviewed
other documentation provided by the agency that demonstrated its implementation of FISMA.

All analyses were performed in accordance with guidance from the following:

   •   National Institute of Standards and Technology standards and guidelines
   •   Nuclear Regulatory Commission Management Directive and Handbook 12.5, NRC Automated
       Information Systems Security Program
   •   NRC Office of the Inspector General audit guidance

This work was conducted between March and September 2005. The work was conducted by Jane M.
Laroussi, CISSP; Diane Reilly; Kelby M. Funn, CISA; and S.J. Dobbs, CISA, from Richard S. 
Carson and Associates, Inc.\n\n\n\n\n                                              27\n\x0c                                  Appendix A \xe2\x80\x93 Scope and Methodology\n                                             Independent Evaluation of\n                             NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              28\n\x0c                                                     Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                                           Independent Evaluation of\n                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\nOFFICIAL USE ONLY PAGE REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                              29\n\x0c                                                     Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                                           Independent Evaluation of\n                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\nOFFICIAL USE ONLY PAGE REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                              30\n\x0c                                                     Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                                           Independent Evaluation of\n                                                         NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\nOFFICIAL USE ONLY PAGE REDACTED FOR PUBLIC RELEASE\n\n\n\n\n                                              31\n\x0c                                  Appendix B \xe2\x80\x93 Status of Contingency Plan Testing\n                                                        Independent Evaluation of\n                                      NRC\xe2\x80\x99s Implementation of FISMA for FY 
2005\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n              32\n\x0c                                                                                                                Appendix C \xe2\x80\x93 FY 2005 FISMA Reporting Template for Agency IGs\n                                                                                                                                                   Independent Evaluation of\n                                                                                                                                   NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n\n\n                                                                                        Section C: Inspector General. Questions 1, 2, 3, 4, and 5.\n\n                                                                                                               Agency Name:\n\n\n\n\n                                                                                                              Question 1 and 2\n\n\n\n1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an\nagency. 
By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

            To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
            1) Continue to use NIST Special Publication 800-26, or,
            2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

            Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the
            requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance in FY 05 by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems
which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Bureau Name: NRC

Column key:
  1.a  FY 05 agency systems: Total Number (Tot) / Number Reviewed (Rev)
  1.b  FY 05 contractor systems: Total Number / Number Reviewed
  1.c  FY 05 total number of systems: Total Number / Number Reviewed
  2.a  Number of systems certified and accredited: Total Number (Tot) / Percent of Total (Pct)
  2.b  Number of systems for which security controls have been tested and evaluated in the last year: Total Number / Percent of Total
  2.c  Number of systems for which contingency plans have been tested in accordance with policy and guidance: Total Number / Percent of Total

                               1.a          1.b          1.c          2.a            2.b            2.c
FIPS 199 Risk Impact Level   Tot   Rev    Tot   Rev    Tot   Rev    Tot   Pct      Tot   Pct      Tot   Pct
High                           4     0      0     0      4     0      1   #DIV/0!    2   #DIV/0!    0   #DIV/0!
Moderate                       4     0      0     0      4     0      0   #DIV/0!    2   #DIV/0!    1   #DIV/0!
Low                            0     0      0     0      0     0      0   #DIV/0!    0   #DIV/0!    0   #DIV/0!
Not Categorized               19     0      7     0     26     0     10   #DIV/0!   17   #DIV/0!    5   #DIV/0!
Sub-total (= Agency Total)    27     0      7     0     34     0     11   #DIV/0!   21   #DIV/0!    6   #DIV/0!

Notes on the table: NRC reports as a single bureau, so the Agency Totals block of the template repeats the NRC rows and the template’s remaining bureau blocks are empty. Every Number Reviewed cell is 0, so the Percent of Total cells, which the template computes against the Number Reviewed column, show the spreadsheet error #DIV/0! rather than a percentage. Of the 34 systems in the inventory, 26 (19 agency and 7 contractor systems) had no FIPS 199 categorization (see recommendation 1).

Question 3

In the format below, evaluate the agency’s oversight of contractor systems, and agency system inventory.

3.a.  The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the
      agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines,
      national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 requirements by a contractor
      or other organization is not sufficient; however, self-reporting by another Federal agency may be sufficient.

      Response categories:
         - Rarely, for example, approximately 0-50% of the time
         - Sometimes, for example, approximately 51-70% of the time
         - Frequently, for example, approximately 71-80% of the time
         - Mostly, for example, approximately 81-95% of the time
         - Almost Always, for example, approximately 96-100% of the time

      Response: Mostly, for example, approximately 81-95% of the time

3.b.  The agency has developed an inventory of major information systems (including major national security systems) operated
      by or under the control of such agency, including an identification of the interfaces between each such system and all other
      systems or networks, including those not operated by or under the control of the agency.

      Response categories:
         - Approximately 0-50% complete
         - Approximately 51-70% complete
         - Approximately 71-80% complete
         - Approximately 81-95% complete
         - Approximately 96-100% complete

      Response: Approximately 51-70% complete

3.c.  The OIG generally agrees with the CIO on the number of agency owned systems.
      Response: No

3.d.  The OIG generally agrees with the CIO on the number of information systems used or operated by a contractor of the
      agency or other organization on behalf of the agency.
      Response: Yes

3.e.  The agency inventory is maintained and updated at least annually.
      Response: No

3.f.  The agency has completed system e-authentication risk assessments.
      Response: Yes

Question 4

Through this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the
following statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.

For items 4.a.-4.f., the response categories are as follows:

      -   Rarely, for example, approximately 0-50% of the time
      -   Sometimes, for example, approximately 51-70% of the time
      -   Frequently, for example, approximately 71-80% of the time
      -   Mostly, for example, approximately 81-95% of the time
      -   Almost Always, for example, approximately 96-100% of the time

4.a.  The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information
      systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.
      Response: Almost Always, for example, approximately 96-100% of the time

4.b.  When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop,
      implement, and manage POA&Ms for their system(s).
      Response: Almost Always, for example, approximately 96-100% of the time

4.c.  Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation
      progress.
      Response: Almost Always, for example, approximately 96-100% of the time

4.d.  CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.
      Response: Almost Always, for example, approximately 96-100% of the time

4.e.  OIG findings are incorporated into the POA&M process.
      Response: Almost Always, for example, approximately 96-100% of the time

4.f.  POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a
      timely manner and receive appropriate resources.
      Response: Almost Always, for example, approximately 96-100% of the time

Comments: NRC has two primary tools for tracking IT security weaknesses. At a high level, NRC uses the POA&M submitted to OMB to track corrective actions from the OIG annual independent evaluation and the agency’s annual
review. The POA&M may also include corrective actions resulting from other security studies conducted by or on behalf of NRC. At a more detailed level, NRC uses an internal system to track the progress of more specific corrective
actions, such as those resulting from risk assessments, security test and evaluation associated with the certification and accreditation process, and contingency plan testing.

Question 5

OIG Assessment of the Certification and Accreditation Process. OMB is requesting IGs to provide a qualitative assessment of the agency’s certification and accreditation process, including adherence to existing policy, guidance, and
standards. Agencies shall follow NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” (May 2004) for certification and accreditation work initiated after May 2004. This
includes use of FIPS 199 (February 2004), “Standards for Security Categorization of Federal Information and Information Systems,” to determine an impact level, as well as associated NIST documents used as guidance for completing
risk assessments and security plans.

      Assess the overall quality of the Department’s certification and accreditation process.

      Response categories:
         - Excellent
         - Good
         - Satisfactory
         - Poor
         - Failing

      Response: Poor

Comments: See attached narrative.

Section B: Inspector General. Questions 6, 7, 8, and 9.

Agency Name: NRC

Question 6

6.a.  Is there an agency wide security configuration policy? Yes or No.
      Response: Yes
      Comments: (none)

6.b.  Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy.
      Indicate whether or not any agency systems run the software. In addition, approximate the extent of implementation of the security configuration policy on
      the systems running the software.

      Product

      Approximate the extent of implementation of the security configuration policy on the systems running the software.
      Response choices include:
         - Rarely, or, on approximately 0-50% of the systems running this software
         - Sometimes, or on approximately 51-70% of the systems running this software
         - Frequently, or on approximately 71-80% of
                Addressed in agencywide\n                                                                                                                              the systems running this software\n                                                                          policy?              Do any agency systems        - Mostly, or on approximately 81-95% of the\n                                                                                                 run this software?           systems running this software\n                                                                                                                            - Almost Always, or on approximately 96-100% of the\n                                                                             Yes, No,                                       systems running this software\n                                                                              or N/A.                  Yes or No.\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows XP Professional\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows NT\n                                                                                 Yes                      Yes               systems running this software\n              Windows 2000 Professional\n                                                                                 N/A                      No\n                                                                                                                                  - 
Almost Always, or on approximately 96-100% of the\n              Windows 2000 Server\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows 2003 Server\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Solaris\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              HP-UX\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Linux\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Cisco Router IOS\n                                                                                 Yes        
              Yes               systems running this software\n              Oracle\n                                                                                 N/A                      No\n              Other. Specify: Novell, AIX, Sybase,                                                                                - Almost Always, or on approximately 96-100% of the\n              SQL Server, Cisco PIX, IIS, Apache                                 Yes                      Yes\n                                                                                                                            systems running this software\n\nComments: Oracle and Apache - configuration guides are available, but this software is currently not in production. Oracle and Apache are being tested for\nplanned future production use. IIS - hardening guidelines are included in the Windows 2000/2003 configuration guides. Sybase - no specific configuration\nguides exist, however the agency followed best practices and product guidelines from the vendor.\n                                                                                         Question 7\n\n\nIndicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.\n\n                        The agency follows documented policies and procedures for identifying and reporting\n       7.a.             incidents internally.                                                                                                           Yes\n                        Yes or No.\n                        The agency follows documented policies and procedures for external reporting to law\n       7.b.             enforcement authorities.                                                                                                        
Yes\n                        Yes or No.\n                        The agency follows defined procedures for reporting to the United States Computer\n       7.c.             Emergency Readiness Team (US-CERT). http://www.us-cert.gov                                                                      Yes\n                        Yes or No.\nComments:\n\n\n\n\n                                                                                            36\n\x0c                                                                           Appendix C \xe2\x80\x93 FY 2005 FISMA Reporting Template for Agency IGs\n                                                                                                              Independent Evaluation of\n                                                                                              NRC\xe2\x80\x99s Implementation of FISMA for FY 2005\n\n\n                                                                          Question 8\n\n                 Has the agency ensured security training and awareness of all employees, including\n                 contractors and those employees with significant IT security responsibilities?\n\n                 Response Choices include:\n                 - Rarely, or, approximately 0-50% of employees have sufficient training\n                                                                                                        - Mostly, or approximately 81-95% of employees have sufficient\n         8        - Sometimes, or approximately 51-70% of employees have sufficient training           training\n                  - Frequently, or approximately 71-80% of employees have sufficient training\n                  - Mostly, or approximately 81-95% of employees have sufficient training\n                  - Almost Always, or approximately 96-100% of employees have sufficient training\n\n\n\n\n                                                                          Question 9\n\n\n\n               
9. Does the agency explain policies regarding peer-to-peer file sharing in IT security awareness training, ethics training, or any other agency wide training? (Yes or No)
   Response: Yes

The following supplemental information is provided in support of the Office of Management and Budget FY 2005 Federal Information Security Management Act (FISMA) Reporting Template for Agency Inspectors General for the Nuclear Regulatory Commission (NRC). The independent evaluation of NRC's implementation of FISMA for FY 2005 was conducted by Richard S. Carson and Associates, Inc. (Carson Associates) on behalf of the NRC Office of the Inspector General (OIG).

Question 1a. NRC has a total of 30 production systems. Of the 30, 12 are general support systems (all operational), and 18 are major applications (15 operational, 3 in development). As required by FISMA, the OIG selected five NRC operational systems for evaluation during the FY 2005 FISMA independent evaluation. However, during a status meeting with the agency, the OIG learned that the certification and accreditations of the systems chosen for evaluation had either expired and the systems were operating under an interim authorization to operate (IATO), or were due to expire in FY 2005, and that their re-certification and re-accreditation would not be completed before completion of the FY 2005 FISMA independent evaluation. Furthermore, there were no other systems to substitute because they were either reviewed during the FY 2004 FISMA independent evaluation, or had certification and accreditations that were due to expire before the end of the year. Without enough systems with current certification and accreditations, Carson Associates could not perform an evaluation of a representative subset of agency systems for the FY 2005 FISMA independent evaluation.

Question 1b. NRC has a total of seven systems operated by a contractor or other organization on behalf of the agency (two major applications and five general support systems). Of the seven, three are operated by other Federal agencies, two are operated by federally funded research and development centers, and two are operated by contractors supporting the agency. Carson Associates did not review any of the seven systems operated by a contractor or other organization on behalf of the agency for evaluation during the FY 2005 FISMA independent evaluation, as there were no potential candidates to review. Of the seven, four[13] were evaluated during the FY 2004 FISMA independent evaluation (three operated by other Federal agencies and one operated by a federally funded research and development center), and therefore were not candidates for review in FY 2005. The other three systems operated by a contractor or other organization on behalf of the agency were not candidates for evaluation in FY 2005 because there was not sufficient information available to perform an evaluation. The agency stated that in FY 2005 it would be performing self-assessments in accordance with NIST SP 800-26 on its contractor systems. However, the self-assessments were not completed in time for inclusion in the FY 2005 FISMA independent evaluation.

[13] The FY 2004 FISMA independent evaluation included a review of three contractor operations and facilities. These three contractor operations and facilities support a total of four agency systems operated by a contractor or other organization on behalf of the agency.

Question 2. Since Carson Associates was unable to evaluate any of NRC's systems, the metrics in Question 2 represent the status for all NRC systems, not just a subset of systems.

Question 2a. Of the 11 systems that are certified and accredited, 3 are systems operated by a contractor or other organization on behalf of the agency. These three systems are operated by other Federal agencies. NRC presumes that the two Federal agencies that operate these systems are also following FISMA and guidelines from the National Institute of Standards and Technology (NIST) (these agencies have not allowed NRC to conduct its own review). Carson Associates verified that there are agreements in place with the two Federal agencies providing services to NRC and that the agreements include requirements to comply with applicable Federal and respective agency information systems security policies, mandates, and instructions. However, the agency does not maintain copies of all certification and accreditation documentation for these systems. The other four systems operated by a contractor or other organization on behalf of the agency have not been certified and accredited.

Question 2b. NRC meets the FISMA requirement to test and evaluate the security controls of agency information systems by performing annual self-assessments on the systems. NRC developed self-assessment templates for major applications and general support systems. For FY 2005 NRC also developed a site self-assessment template for security assessments at regional offices, resident inspector sites, NRC locations other than headquarters and the regional offices, and contractor sites hosting NRC information systems. The NRC self-assessment templates are based on NIST SP 800-26 and include references to NIST SP 800-53 to provide a general indication of control coverage. However, as of September 12, 2005, Carson Associates had only received self-assessments for 18 of the NRC's 27 operational systems.[14] The first self-assessment was not received until September 2, 2005. Subsequent to completion of field work, the agency provided self-assessments for the other nine operational systems. However, these self-assessments were not provided in time to review.

[14] One of the self-assessments addresses eight individual general support systems.

Of the 21 systems that have had their security controls tested and evaluated in the last year, 3 are systems operated by a contractor or other organization on behalf of the agency. These three systems are operated by other Federal agencies. NRC presumes that the two Federal agencies that operate these systems are also following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its own review), and have therefore conducted an annual review. However, the agency does not request a copy of the annual review for these systems from the other Federal agencies. As previously discussed, the agency stated that in FY 2005 it would be performing self-assessments on its contractor systems. However, Carson Associates has not received any self-assessments for the four other systems operated by a contractor or other organization on behalf of the agency. Subsequent to completion of field work, the agency provided self-assessments for the four other systems operated by a contractor or other organization on behalf of the agency. However, these self-assessments were not provided in time to review.

Question 2c. Of the 6 systems that have had their contingency plans tested in the last year, 3 are systems operated by a contractor or other organization on behalf of the agency. These three systems are operated by other Federal agencies. NRC presumes that the two Federal agencies that operate these systems are also following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its own review), and have therefore performed an annual contingency plan test of their systems. However, the agency does not verify that the contingency plans have been tested and evaluated for these systems on an annual basis. The agency does not have contingency plans for the other four systems operated by a contractor or other organization on behalf of the agency. Subsequent to the completion of field work, Carson Associates was informed that contingency plan testing had been performed on 10 additional agency systems (8 of which are general support systems resulting from the decomposition of the agency's local area network/wide area network general support system). However, the agency has not provided documentation indicating the testing has been completed.

Question 3a. As previously discussed, NRC presumes that the two Federal agencies that operate three of the seven contractor systems are also following FISMA and NIST guidelines (these agencies have not allowed NRC to conduct its own review). However, the agency does not (1) maintain copies of all certification and accreditation documentation for these systems, (2) verify that the security controls have been tested and evaluated for these systems on an annual basis, and (3) verify that the contingency plans have been tested and evaluated for these systems on an annual basis.

The agency has not performed sufficient oversight and evaluation of four of the seven contractor systems to ensure the information systems meet requirements of FISMA, OMB policy, NIST guidelines, and agency policy. The agency stated that for two of the four systems (the two contractor support systems), security guidelines are written into the relevant contracts and the contractors must follow NRC security procedures. However, the agency has no documentation demonstrating that these systems meet FISMA requirements, specifically the requirement for certification and accreditation, annual testing and evaluation of security controls, and annual contingency plan testing. Carson Associates could not determine how NRC performs oversight of the other two contractor systems (the two federally funded research and development centers).

Question 3b. NRC maintains information on its information systems in two different inventory systems. One is primarily used to meet the requirements of FISMA, while the other is primarily used to support the agency's enterprise architecture.
While FISMA only requires agencies to maintain an inventory of major information systems (major applications and general support systems), NRC also includes two other types of systems in its inventories – Listed[15] and Other.[16] Carson Associates found that the agency's inventory is only 51-70 percent completed because (1) information in both of the agency's inventory systems is inaccurate and inconsistent and (2) only one of the inventory systems contains information on system interfaces and that information is also inaccurate and inconsistent.

[15] A Listed system is a computerized information system or application that (1) processes sensitive information requiring additional security protections and (2) may be important to an NRC office's or region's operations, but which is not a major application or general support system when viewed from an agency perspective. Sensitive data may include individual Privacy Act information, law enforcement sensitive information, sensitive contractual and financial information, safeguards, and classified information.

[16] An Other system is an NRC system that does not require additional security protections and is adequately protected by the security provided by the NRC local area network/wide area network.

Question 3c. Carson Associates generally agrees with the Chief Information Officer (CIO) on the number of agency owned major applications and general support systems, but does not agree with the CIO on the number of agency owned systems in the listed and other categories.

Question 3f. In FY 2004, the agency stated that it had begun assessing systems for e-authentication risk. A contract was awarded in the 3rd Quarter FY 2004 and the agency stated it was on track to meet the December 15, 2004, deadline for classifying all major applications. However, Carson Associates found that e-authentication risk assessments have been completed for only 6 of the agency's 27 operational systems. The agency stated that e-authentication risk assessments will be supported under the interim Information Systems Security contract awarded August 11, 2005 and are expected to be completed by December 15, 2005. Carson Associates reviewed the completed e-authentication risk assessments and found them to be incorrect and inconsistent with the systems' FIPS 199 security categorizations.

Question 5. As stated previously, only 8 of the 27 operational NRC information systems have full authorization to operate (i.e., they have a current certification and accreditation). As a result, the NRC Office of the Inspector General requested Carson Associates to undertake an overall review of the NRC's certification and accreditation efforts. The findings from this review were reported in a separate report that made two recommendations to the agency to improve certification and accreditation efforts at the agency. The following is a summary of the findings from the evaluation of NRC's certification and accreditation efforts.

NRC's general support systems have not had a full certification and accreditation performed in the past 3 years. Therefore the agency does not know whether the security controls for these general support systems are adequate, creating unknown potential risk. As a result, all NRC information systems that depend on the security controls provided by these general support systems inherit that unknown potential risk. The majority of NRC information systems are not certified and accredited because (1) the certification and accreditation has lapsed or was never completed and (2) NRC information systems are being re-certified and re-accredited using new NIST requirements. As a result, potential risks to agency information systems are unknown.

Question 8. NRC ensures all employees and contractors receive security awareness and training. However, the agency lacks procedures for ensuring employees with significant information technology (IT) security responsibilities receive security training and awareness. The agency stated that it had difficulty in gathering the information needed to report on the total number of employees with significant IT security responsibilities, the number of those employees who have received specialized training as described in NIST SP 800-16, and the total costs for providing IT training. The agency's training system does not identify which employees have significant IT security responsibilities and what courses are considered related to IT security. The agency gathered its data by asking each office and region to identify staff in their offices with significant IT security responsibilities, describe any training that is related to IT security that those staff members have taken, and the cost of that training. The agency's training system also does not account for any training the employee may have taken on their own time.